CVE-2022-0317

Name of the Vulnerable Software and Affected Versions go-attestation versions prior to 0.4.0

Description The issue is caused by improper input validation in AKPublic.Verify, allowing local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot.

Recommendations For go-attestation versions prior to 0.4.0, upgrade to version 0.4.0 or above to resolve the issue. If your usage of this library verifies PCRs using multiple quotes, make sure to use the new method AKPublic.VerifyAll() instead of AKPublic.Verify.